Skip to content

Commit 24006c0

Browse files
author
HackTricks News Bot
committed
Add content from: Practical Guide to IPv6 Attacks in a Local Network
1 parent fae5758 commit 24006c0

1 file changed

Lines changed: 30 additions & 0 deletions

File tree

src/generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.md

Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -241,6 +241,35 @@ sudo ip6tables -A FORWARD -i eth0 -j ACCEPT
241241
sudo ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
242242
```
243243

244+
#### Router Advertisement Flags (M/O) & Default Router Preference (Prf)
245+
246+
| Flag | Meaning | Effect on Client Behaviour |
247+
|------|---------|----------------------------|
248+
| **M (Managed Address Configuration)** | When set to `1` the host MUST use **DHCPv6** to obtain its IPv6 address. | Whole addressing comes from DHCPv6 – perfect for *mitm6* style poisoning. |
249+
| **O (Other Configuration)** | When set to `1` the host should use **DHCPv6** only to obtain *other* information (DNS, NTP, …). | Address still via SLAAC, but DNS can be hijacked with DHCPv6. |
250+
| **M=0 / O=0** | Pure SLAAC network. | Only RA / RDNSS tricks are possible – DHCPv6 won’t be sent by clients. |
251+
| **M=1 / O=1** | Mixed environment. | Both DHCPv6 and SLAAC are used; the surface for spoofing is the largest. |
252+
253+
During a pentest you can simply inspect the legitimate RA once and decide which vector is feasible:
254+
255+
```bash
256+
sudo tcpdump -vvv -i eth0 'icmp6 && ip6[40] == 134' # capture Router Advertisements
257+
```
258+
259+
Look for the `flags [M,O]` field in the dump – no guessing required.
260+
261+
The **Prf** (Router Preference) field inside the RA header controls how attractive your rogue router looks when *multiple* gateways are present:
262+
263+
| Prf value | Binary | Meaning |
264+
|-----------|--------|---------|
265+
| **High** | `10` | Clients prefer this router over any *Medium*/*Low* one |
266+
| Medium (default) | `01` | Used by almost every legitimate device |
267+
| Low | `00` | Chosen only when no better router exists |
268+
269+
When generating the packet with Scapy you can set it through the `prf` parameter as shown above (`prf=0x1` → High). Combining **High Prf**, a **short interval**, and a **non-zero lifetime** makes your rogue gateway remarkably stable.
270+
271+
---
272+
244273
### RDNSS (DNS) Spoofing via RA
245274

246275
[RFC 8106](https://datatracker.ietf.org/doc/html/rfc8106) allows adding a **Recursive DNS Server (RDNSS)** option inside a RA. Modern OSes (Win 10 ≥1709, Win 11, macOS Big Sur, Linux systemd-resolved, …) automatically trust it:
@@ -296,6 +325,7 @@ sudo mitm6 -i eth0 --no-ra # only DHCPv6 poisoning
296325
- [RFC 8106 – IPv6 ND DNS Configuration](https://datatracker.ietf.org/doc/html/rfc8106)
297326
- [http://www.firewall.cx/networking-topics/protocols/877-ipv6-subnetting-how-to-subnet-ipv6.html](http://www.firewall.cx/networking-topics/protocols/877-ipv6-subnetting-how-to-subnet-ipv6.html)
298327
- [https://www.sans.org/reading-room/whitepapers/detection/complete-guide-ipv6-attack-defense-33904](https://www.sans.org/reading-room/whitepapers/detection/complete-guide-ipv6-attack-defense-33904)
328+
- [Practical Guide to IPv6 Attacks in a Local Network](https://habr.com/ru/articles/930526/)
299329

300330
{{#include ../../banners/hacktricks-training.md}}
301331

0 commit comments

Comments
 (0)